author | Yasuyuki KOZAKAI <yasuyuki@netfilter.org> | 2007-06-11 20:17:34 +0000 |
---|---|---|
committer | Yasuyuki KOZAKAI <yasuyuki@netfilter.org> | 2007-06-11 20:17:34 +0000 |
commit | f69e30c0107ceff61296045cfd36ea0506d54186 (patch) | |
tree | 12c8f5eed0e469d91fdce7932a85caae6faad16c | |
parent | 1d9872d7d6f2199130bb67fe8988baade53d25c1 (diff) |
'-p all' and '-p 0' should be allowed. Also, the in-kernel ip6tables actually
allows '! -p xxx' where xxx is an extension header; such a rule matches all valid IPv6
packets.
-rw-r--r-- | ip6tables.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/ip6tables.c b/ip6tables.c
index 4510ba4a..e742631e 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -883,13 +883,11 @@ parse_protocol(const char *s)
 return (u_int16_t)proto;
 }
-/* proto means IPv6 extension header ? */
+/* These are invalid numbers as upper layer protocol */
 static int is_exthdr(u_int16_t proto)
 {
- return (proto == IPPROTO_HOPOPTS ||
- proto == IPPROTO_ROUTING ||
+ return (proto == IPPROTO_ROUTING ||
 proto == IPPROTO_FRAGMENT ||
- proto == IPPROTO_ESP ||
 proto == IPPROTO_AH ||
 proto == IPPROTO_DSTOPTS);
 }
@@ -2062,10 +2060,11 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
 exit_error(PARAMETER_PROBLEM,
 "rule would never match protocol");
- if (fw.ipv6.proto != IPPROTO_ESP &&
- is_exthdr(fw.ipv6.proto))
+ if (is_exthdr(fw.ipv6.proto)
+ && (fw.ipv6.invflags & IP6T_INV_PROTO) == 0)
 printf("Warning: never matched protocol: %s. "
- "use exension match instead.", protocol);
+ "use extension match instead.\n",
+ protocol);
 break;
 case 's': |
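Review bot: The rewritten is_exthdr() no longer reports the hop-by-hop header, but its new comment only says the remaining values are invalid upper-layer protocols, so the function name now misleads and a later maintainer may "fix" it by adding IPPROTO_HOPOPTS back, which would reinstate the spurious warning for '-p 0' that this commit is removing. The reason is only in the commit message: IPPROTO_HOPOPTS is 0 and 0 doubles as 'all' on the command line, and ESP appears to be dropped because it is matched as a real upper-layer protocol rather than a header that is skipped before the protocol check. I would replace the one-line comment with `/* Extension headers a '-p' rule can never match (see the warning in do_command6). IPPROTO_HOPOPTS (0) is deliberately absent because 0 also means 'all'; ESP is a matchable upper-layer protocol. */`. The second hunk, which is the only caller visible here, is cut off at its end, so the surrounding switch in do_command6 is not fully reviewable from this page.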